Forum Discussion
Convert a SINGLE user from Federated to Managed Authentication and then BACK to Federated... HOW?
- Oct 07, 2019
Do your users authenticate with Domain\Username? If so, this change will not affect how the user logs on to their local machine. I usually just let Outlook prompt, stating that it is no longer connected to Microsoft Exchange and asking for the username and password. Hope this helps! ch0wd0wn
Yes, you are correct: on-prem AD with AAD Connect with password sync turned on (even though we are using federated authentication through PingFederate).
OK, the only change I'll make is to the UPN for the user. I just want to make sure this doesn't impact his day-to-day activities like logging into Windows, etc., which it shouldn't. Do I need to recreate the Outlook profile, or should I just let it prompt for updated credentials?
Let me try this method first; it's easy enough.
- Bryan Haslip
- ch0wd0wn, Oct 07, 2019, Copper Contributor
Yes, they use domain\username for the most part. Thanks so much for the tip!
- ch0wd0wn, Oct 09, 2019, Copper Contributor
Hey Bryan
Changing the UPN worked; however, the user now can't get into Outlook and authenticate, or his mobile device... he basically has to use OWA. The authentication keeps prompting over and over, even though we created a new Outlook profile. I thought that this should authenticate the user regardless of the application he was using... any thoughts?
- Bryan Haslip, Oct 12, 2019, Iron Contributor
Sorry for the slow response! Have you tried clearing out the credential manager on the local machine? ch0wd0wn
- CraigWilson_, Oct 12, 2019, Brass Contributor
Hi ch0wd0wn
It may be an issue with the domain federation. If AAD detects that the domain requires sign-in through services like AD FS, etc., then the user will be redirected when they enter the email address into M365.
So what may be happening is this: when the user connected to Outlook on the device, it performed a domain check. If the domain requires authentication via AD FS, then the user would be redirected to that endpoint to log in. At this point, the claim token would not match the user in AAD, and the login would fail.
If you cannot switch off the redirection for the domain authentication, try getting the user to use the onmicrosoft.com address. All users in Azure AD have a username@tenant.onmicrosoft.com address.
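The two halves of this thread (changing one synced user's UPN, and Craig's point that the client's home realm discovery on the old address still redirects to the federation STS) can be checked from PowerShell. The script below is an added example and is not code from any participant in the thread. It queries the same unauthenticated realm-discovery endpoint the Office clients use (login.microsoftonline.com/getuserrealm.srf), changes the UPN in on-prem AD (since the user is synced through AAD Connect), triggers a delta sync, and then confirms that the new address resolves to a managed realm. The account name, the contoso.com domain and the contoso.onmicrosoft.com suffix are hypothetical placeholders.

```powershell
# Added example, not from the thread. All names below are assumptions:
# 'jdoe' is the on-prem sAMAccountName, contoso.com is the federated domain
# (PingFederate in the thread), contoso.onmicrosoft.com is the tenant's initial domain.
$SamAccountName = 'jdoe'
$FederatedUpn   = 'jdoe@contoso.com'
$ManagedUpn     = 'jdoe@contoso.onmicrosoft.com'

function Get-HomeRealm {
    param([Parameter(Mandatory)][string]$Login)
    # Unauthenticated realm-discovery endpoint: Outlook, ActiveSync and the
    # browser sign-in page all consult it to decide whether to redirect the
    # user to an on-prem STS (AD FS, PingFederate, ...) or to prompt in the cloud.
    $uri = 'https://login.microsoftonline.com/getuserrealm.srf?login=' +
           [uri]::EscapeDataString($Login) + '&json=1'
    $r = Invoke-RestMethod -Uri $uri -Method Get
    [pscustomobject]@{
        Login         = $Login
        NameSpaceType = $r.NameSpaceType   # 'Federated', 'Managed' or 'Unknown'
        AuthUrl       = $r.AuthURL         # STS URL; only returned for federated domains
    }
}

# 1. Why Outlook and the phone keep prompting after the cloud-side change:
#    the old address's domain is still federated, so every client sign-in is
#    bounced to the STS regardless of how the user object now authenticates.
Get-HomeRealm -Login $FederatedUpn | Format-List

# 2. Move the user to the managed suffix. The object is synced from on-prem AD,
#    so the UPN is changed there and pushed with a delta sync (run the sync
#    cmdlet on the AAD Connect server; it comes from the ADSync module).
Set-ADUser -Identity $SamAccountName -UserPrincipalName $ManagedUpn
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null

# 3. Confirm the new address resolves to a managed realm (no AuthUrl), so the
#    clients will prompt for the password-hash-synced password instead of
#    redirecting. Stale entries in Windows Credential Manager can still cause
#    repeated prompts; list them with: cmdkey /list
Get-HomeRealm -Login $ManagedUpn | Format-List
```

Set-ADUser needs the ActiveDirectory RSAT module and rights on the user object; Start-ADSyncSyncCycle only exists on the AAD Connect server. The realm lookups need no credentials at all, which is also why an attacker can use the same endpoint to enumerate which of a target's domains are federated and where their STS lives, so do not treat the AuthUrl it returns as secret.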